Last week, it was reported that certain anonymous researcher published in the public domain details of the dangerous zero-day vulnerability in the vBulletin forum engine, as well as an exploit for it. Now experts record many attacks, and botnets actively use vBulletin vulnerability.The bug allows an attacker to execute shell commands on a vulnerable server. Moreover, an attacker just needs to use a simple HTTP POST request and does not need to have an account on the target forum, that is, the problem belongs to the unpleasant class of pre-authentication vulnerabilities.
A more detailed description of the problem soon appeared on GitHub, and a script was published on the network to search for vulnerable servers. Vulnerability received identifier CVE-2019-16759.
Read also: MageCart now attacks routers, not sites
Although at the end of last week, vBulletin developers broke too long silence and announced the release of a patch for vBulletin version 5.5.X, the attackers are already actively exploiting the problem.
“GreyNoise is observing opportunistic exploitation of the recent vBulletin 5.x remote code execution vulnerability (CVE-2019-16759), starting from several hundred devices around the Internet“, — report GreyNoise researchers.
Thus, experts from other information security companies confirm that botnet operators have already adopted the exploit.
“Opportunistic mass exploitation of CVE-2019-16759 has begun. It includes coordinated botnet activity and miscellaneous threat actors checking for hosts vulnerable RCE”, — write in their Twitter Bad Packets experts.
Moreover, attackers make sure that other attackers are not able to take advantage of the bug in vBulletin. So, having cracked a vulnerable server, the attackers make changes to the bbcode.php code, so that further execution of the commands requires a password. That is, the vulnerability is still preserved, though anyone can no longer take advantage of it, because to use the bug you need to know the password.
According to Bad Packets, attacks on CVE-2019-16759 now mostly come from Brazil, Vietnam, and India.
It is worth noting that Cloudflare experts have already become interested in massive attacks to refresh the vulnerability. So, a new rule has already been created for the WAF company, which detects attempts to exploit the bug and suppresses them. That is, Cloudflare clients with WAF enabled are not threatened.
vBulletin is among the most widely used website commenting systems and is probably used on tens of thousands—possibly hundreds of thousands—of sites. Fortunately, version 5x makes up less than 7% of active installations, according to W3techs, a site that surveys the software used across the Internet. Still, Internet searches like this one suggest that 10,000 or more sites may be running vulnerable versions.